List the causes of each risk and the impacts if they happen

Making these lists helps to give your risk assessment team a clear view of the risks facing your organisation.

Causes of risks

Putting all of the causes together in a list, separate from the risk scenarios, gives another angle for seeing where risks to your organisation’s information system are coming from.

Examples of risk causes
  • The information system is deployed as an internet-facing service.
  • The information system is an attractive target to criminals or hacktivists.
  • Patches may not be applied in a timely manner.
  • Default accounts and passwords are not changed or removed.
  • When a staff member leaves the organisation, their user accounts are not disabled or removed in a timely manner.

Impacts of the risks happening

Putting all of the impacts together, separate from the risk scenarios, gives a clear overview of the negative consequences your organisation faces with its information system’s risks.

For clarity across stakeholders, state the impacts in business terms — not technical terms.

Examples of the impacts of the risks happening
  • There is reputational damage to the organisation.
  • IN-CONFIDENCE information is disclosed to an unauthorised party.
  • There is a breach of the Privacy Act 2020.
  • Service delivery is impacted due to a loss of productivity.
  • There is a loss of confidence in the service by key stakeholders.
